b'Management Advisory\n\n\n\nFiscal Year 2010 Sarbanes-\nOxley Testing for Selected\n   Business Processes\n\n\n\n Report Number FT-MA-11-003\n         May 19, 2011\n\x0c                                                                            May19, 2011\n\n                                            Fiscal Year 2010 Sarbanes-Oxley Testing\n                                                    for Selected Business Processes\n\n                                                         Report Number FT-MA-11-003\n\n\n\n\nIMPACT ON:                                   internal controls over financial reporting,\nFinancial internal control testing           providing our results to management\nperformed by the U.S. Postal Service\xe2\x80\x99s       may assist them in improving their\nSarbanes-Oxley (SOX) Management              FY 2011 SOX testing documentation\nControls and Integration group               and, as a result, better assessing their\n                                             control environment.\nWHY OIG DID THE REVIEW:\nThe objective of our review was to           WHAT OIG RECOMMENDED:\nevaluate the FY 2010 SOX testing             We did not make recommendations but\ndocumentation to determine whether           provided our observations to assist\nPostal Service management properly           management in its FY 2011 SOX\ntested, documented, and reported its         testing.\ntesting of specific key SOX financial\nreporting controls within the air            WHAT MANAGEMENT SAID:\ntransportation, highway transportation,      We did not make any recommendations\ncompensation and benefits, personal          in this report and, as a result,\nproperty/equipment, and motor vehicles       management chose not to respond\nbusiness processes.                          formally to this report.\n\nWHAT OIG FOUND:\nThe SOX Program Management Office\n(PMO) properly tested, documented,\nand reported its examination of key SOX\nfinancial reporting controls in FY 2010\nfor air transportation, highway\ntransportation, and personal\nproperty/equipment. However, for the\ncompensation and benefits process and\nmotor vehicles process, the U.S. Postal\nService Office of Inspector General\n(OIG) determined the documentation\nwas insufficient to allow it to replicate\nthe SOX PMO\xe2\x80\x99s testing or reach the\nsame conclusions. Since complete and\naccurate documentation of SOX testing\nis critical to reaching an overall\nconclusion on the effectiveness of\n\x0cMay 19, 2011\n\nMEMORANDUM FOR:                   STEVEN R. PHELPS\n                                  MANAGER, SOX MANAGEMENT CONTROLS AND\n                                  INTEGRATION\n\n\n                                                                     for\nFROM:                             John E. Cihota\n                                  Deputy Assistant Inspector General\n                                   for Financial Accountability\n\nSUBJECT:                          Management Advisory \xe2\x80\x93 Fiscal Year 2010\n                                  Sarbanes-Oxley Testing for Selected Business Processes\n                                  (Report Number FT-MA-11-003)\n\nThis report presents the results of our review of the U.S. Postal Service\xe2\x80\x99s Sarbanes-\nOxley (SOX) testing documentation completed for fiscal year (FY) 2010 for specific key\nSOX financial reporting controls within selected business processes1 (Project Number\n11BM001FT001). We did not make any recommendations in this report and, as a result,\nmanagement chose not to respond formally to this report.\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Lorie Nelson, director,\nFinancial Reporting, or me at 703-248-2100.\n\nAttachments\n\ncc: Joseph Corbett\n    Timothy F. O\xe2\x80\x99Reilly\n    Jessica L. Doelling\n    Douglas G. Germer\n    Harold E. Stark\n    Corporate Audit and Response Management\n\n\n\n\n1\n  We reviewed the FY 2010 SOX Program Management Office\xe2\x80\x99s testing documentation for specific key controls within\nthe air transportation, highway transportation, compensation and benefits, personal property/equipment, and motor\nvehicles business processes.\n\x0cFiscal Year 2010 Sarbanes-Oxley Testing for                                                              FT-MA-11-003\n Selected Business Processes\n\n\n                                               TABLE OF CONTENTS\n\nIntroduction ..................................................................................................................... 1\n\nConclusion ...................................................................................................................... 1\n\nTable 1 \xe2\x80\x93 Results of Documentation Review................................................................... 2\n\nRecommendations .......................................................................................................... 4\n\nAppendix A: Additional Information ................................................................................. 5\n\n   Background ................................................................................................................. 5\n   Objective, Scope, and Methodology ............................................................................ 5\n   Prior Audit Coverage ................................................................................................... 6\n\x0cFiscal Year 2010 Sarbanes-Oxley Testing for                                           FT-MA-11-003\n Selected Business Processes\n\n\n\nIntroduction\n\nThis report presents the results of our review of the U.S. Postal Service\xe2\x80\x99s Sarbanes-\nOxley (SOX) testing documentation completed for fiscal year (FY) 2010 for specific key\nSOX reporting controls within selected business processes2 (Project Number\n11BM001FT001). Our objective was to evaluate the testing documentation to determine\nwhether Postal Service management properly tested, documented, and reported its\ntesting of specific key SOX financial reporting controls within the five business\nprocesses selected. This review addresses financial risk. See Appendix A for additional\ninformation about this review.\n\nWe conducted our review of completed FY 2010 SOX PMO testing documentation, in\npart, at the request of the independent public accountant (IPA), to assist in determining\nthe reliance that can be placed in FY 2011 and into the future on the internal control\ntesting documentation over the five business process areas. Our review also provided\nmanagement with information they can use to improve the quality and reporting of their\ntesting of key SOX financial controls in FY 2011.\n\nConclusion\n\nThe SOX PMO properly tested, documented, and reported its examination of key SOX\nfinancial reporting controls in FY 2010 for air transportation, highway transportation, and\npersonal property/equipment. However, for the compensation and benefits process and\nmotor vehicles process, the U.S. Postal Service Office of Inspector General (OIG)\ndetermined the documentation was insufficient to allow it to replicate the SOX PMO\xe2\x80\x99s\ntesting or reach the same conclusions. Because complete and accurate documentation\nof SOX testing is critical to reaching an overall conclusion on the effectiveness of\ninternal controls over financial reporting, providing our results to management may\nassist them in improving their FY 2011 SOX testing documentation and, as a result,\nbetter assessing their control environment.\n\nDocumentation of Testing\n\nIn most instances, the documentation included a clear understanding and evidence of\nlinkage to significant exceptions, cross-references to the tests performed, identification\nof individuals who performed the test and when they performed them, as well as\nidentification of who reviewed the test documents and the dates of the reviews. In many\ninstances, the documentation included a clear understanding and evidence of the\ndocument\xe2\x80\x99s purpose, source, and cross-referencing of key information. Further, for the\nair and highway transportation and the personal property/equipment business\n\n2\n We reviewed the FY 2010 SOX Program Management Office\xe2\x80\x99s (PMO) testing documentation for specific key\ncontrols within the air transportation, highway transportation, compensation and benefits, personal\nproperty/equipment, and motor vehicles business processes.\n                                                             1\n\x0cFiscal Year 2010 Sarbanes-Oxley Testing for                            FT-MA-11-003\n Selected Business Processes\n\n\nprocesses, we concluded we could re-perform the SOX PMO\xe2\x80\x99s testing based on the\ndocumentation and agreed with the testers\xe2\x80\x99 conclusions.\n\nHowever, opportunities exist to improve testing documentation. For example, some\nsupporting documents were insufficient or omitted, making it difficult to corroborate the\nwork performed and conclusions reached. For compensation and benefits, testers found\nexceptions they noted as insignificant, but they did not provide the documentation that\nsupported the exceptions. This made it difficult to reach the same conclusion as the\ntesters. For motor vehicles, testers did not follow-up on 20 vehicle maintenance facility\nmotor vehicle inventories that were outstanding well past year-end. As a result, we did\nnot agree with the conclusions reached by the testers for these business processes.\n\nIn addition, we found the SOX PMO could enhance the testing documentation in all\nareas by better identifying computer generated information and critical spreadsheets\nand providing a more complete explanation of the source from which samples were\nselected and the sampling methodologies used. Frequently, the testing documentation\ndid not demonstrate discussion of the accuracy and completeness of the computer\ngenerated information reports and critical spreadsheets used in testing. See Table 1 for\nspecific results including examples of well-documented testing practices and suggested\nimprovements.\n\n                        Table 1 \xe2\x80\x93 Results of Documentation Review\n\n Areas Reviewed                  Instances of Well-                Suggested\n                               Documented Testing                Improvements\nAir Transportation            Clearly explained when       Random selection portion of\n                              tests were not applicable    the sampling methodology\n                              and what test steps were     used should be more clearly\n                              performed.                   explained.\n                              Documentation contained a    Control description should be\n                              test example with            clearly defined.\n                              supporting documents and     Table needed to support the\n                              testing was adequately       results of attribute testing.\n                              explained.\nHighway                       Well-documented attribute    Support for at least one\nTransportation                testing.                     sample item needed.\n                              Information was cross-       Explanation needed to\n                              indexed and linked           support why control tests\n                              between documents.           received late in the year were\n                              Clearly documented test      not performed.\n                              attributes.\n\n\n\n\n                                              2\n\x0cFiscal Year 2010 Sarbanes-Oxley Testing for                             FT-MA-11-003\n Selected Business Processes\n\n\nPersonal                      Clearly explained sampling    Explanation needed for how\nProperty/Equipment            procedures and selected       the sample was determined\n                              items.                        and selected.\n                              Tickmark definitions were     Sample test should be\n                              clear and use of text boxes   performed at required time.\n                              helped with understanding     Attribute descriptions\n                              what the testers did.         appropriate to the tests\n                              Provided sufficient source    performed are needed.\n                              information.\n                              Clearly linked inquiry test\n                              steps and inquiry results.\nCompensation and              Narrative is sufficient and   Documentation needed to\nBenefits                      understandable.               support all exceptions found,\n                              Format was complete           and support needed for\n                              and/or support was clear      determinations that\n                              and well annotated.           exceptions are insignificant.\n                                                            Copies of key Certifying\n                                                            Officer signature cards\n                                                            needed.\n                                                            Correct references needed\n                                                            for all items in the narrative.\n                                                            Action taken on computer-\n                                                            generated reports should be\n                                                            documented.\nMotor Vehicles                Format was complete           Testers should complete\n                              and/or support was clear      follow-up work.\n                              and well annotated.           Explanations needed for\n                              Clearly indicated date of     random number generator\n                              supporting computer-          and sampling methodology\n                              generated reports used as     used.\n                              well as, for certain sub-     Complete vehicle information\n                              samples taken, the number     needed when testing\n                              and types of transactions     controls.\n                              available and selected.       Cross-referenced vehicles\n                              Clearly indicated and         should match.\n                              explained revised sample      Testers should provide the\n                              dates.                        workpaper purpose and\n                              Clearly identified certain    make sure it is correctly\n                              reports used.                 stated.\n\n\n\n\n                                                3\n\x0cFiscal Year 2010 Sarbanes-Oxley Testing for                         FT-MA-11-003\n Selected Business Processes\n\n\nOverall                                                  Testers should put all test\n                                                         documentation in the\n                                                         Governance, Risk, and\n                                                         Compliance Manager\n                                                         (GRCm) system. Financial\n                                                         Control and Support (FCS)\n                                                         documentation was not in the\n                                                         system, and we were not\n                                                         always able to obtain it from\n                                                         FCS employees.\n                                                         For all computer-generated\n                                                         reports used in testing,\n                                                         testers should be sure the\n                                                         accuracy and completeness\n                                                         of the reports is cross\xe2\x80\x93\n                                                         referenced and supported.\n\nRecommendations\n\nWe are not making recommendations because the IPA will make the decision on\nwhether it will use the work of the SOX PMO in its FY 2011 audit. However, we are\nproviding this information to assist the SOX PMO in improving its FY 2011 SOX testing\ndocumentation.\n\n\n\n\n                                              4\n\x0cFiscal Year 2010 Sarbanes-Oxley Testing for                                                  FT-MA-11-003\n Selected Business Processes\n\n\n                                 Appendix A: Additional Information\n\nBackground\n\nTo comply with Section 404 of the SOX Act of 2002, Postal Service management must\nreport on its assessment of the effectiveness of internal controls over financial reporting.\nIt must submit an annual assessment to the Postal Regulatory Commission, which\nmonitors and manages the Postal Service\xe2\x80\x99s compliance with SOX. To meet these\nrequirements, Auditing Standard (AS) No. 53 allows the auditor to use the work\nperformed by internal employees or contractors working under the direction of\nmanagement in its assessment of the effectiveness of internal control over financial\nreporting. However, the auditor should evaluate the extent to which it will use the work\nof others to reduce the work the auditor might otherwise perform. In consideration of the\nAS No. 5 guidance, the IPA requested the OIG to assist in the review of FY 2010 SOX\nPMO testing documentation for specific key financial reporting controls. The SOX PMO\nteam4 and FCS performed the testing of the specific key financial reporting controls over\nthe five business processes reviewed.\n\nObjective, Scope, and Methodology\n\nThe objective of our review was to evaluate the testing documentation to determine\nwhether Postal Service management properly tested, documented, and reported its\ntesting of specific key SOX financial reporting controls in FY 2010 within the five\nselected business processes.\n\nFollowing guidance outlined in AS No. 3,5 and in collaboration with the IPA, we\nidentified specific key financial reporting controls and testing documentation to evaluate\nand developed a data collection instrument to record our review. Based on the controls\nand documentation specified, we accessed the SOX documentation repository, the\nGRCm, and extracted the FY 2010 testing documentation. For testing documentation\nthat was not retained in GRCm, we obtained the documents from the Postal Service\nFCS group.\n\nTo perform the review, we examined the completed FY 2010 SOX PMO testing\ndocumentation for specific key controls within the five selected business processes. We\nreviewed the documents for such items as source and purpose and a linkage to findings\nand controls tested. We examined the documents to verify that testers organized them\nin a manner that provided a clear pathway to the conclusions reached and provided an\nunderstandable description of the transactions and records the testers reviewed. Based\non these actions, we assessed whether the documentation contained sufficient\nevidence that would allow us to replicate the tests for the five business processes\nshould the IPA determine it will use the work of the SOX PMO in its FY 2011 audit.\n\n3\n  An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements,\nPublic Company Accounting Oversight Board (PCAOB), dated July 27, 2007.\n4\n  Management contracted with Deloitte & Touche LLP and Global Resources to perform its FY 2010 SOX testing.\n5\n  Audit Documentation, PCAOB, dated June 9, 2004.\n\n\n                                                          5\n\x0cFiscal Year 2010 Sarbanes-Oxley Testing for                          FT-MA-11-003\n Selected Business Processes\n\n\n\nWe conducted this review from February through May 2011 in accordance with the\nCouncil of the Inspectors General on Integrity and Efficiency, Quality Standards for\nInspection and Evaluation. We discussed our observations and conclusions with\nmanagement on April 27, 2011, and included their comments where appropriate. We\ndid not rely on computer-generated data for the purposes of this review.\n\nPrior Audit Coverage\n\nThe OIG has not performed prior reviews related to this objective.\n\n\n\n\n                                              6\n\x0c'